With the COVID-19 virus now officially declared a pandemic by the World Health Organisation, companies around the world have encouraged their employees to work from home to protect their health and support government measures aimed at curbing the spread of the virus. However, while many organisations have long been exploring the possibilities offered by remote work, few have allowed all their employees to work from home at the same time for extended periods.
The new reality imposed by the current health crisis means many companies’ entire workforce will be working remotely under lockdown measures for weeks, with the possibility that the situation will extend months further into spring and early summer.
Some organisations have been more prepared than others for this eventuality and have long had emergency and business continuity plans in place. Many others, though, have hastily put together a work-from-home plan which, while meant to ensure that employees can continue to perform their duties for the duration of the crisis, often fails to consider two vital points: data protection and the risk of noncompliance with data protection legislation.
Protecting data while working remotely
Many data protection strategies focus on company networks and are therefore restricted to office perimeters. This means that all the devices being taken out of the office for remote work will lose most of their protection and compliance policies once they are out of the workplace.
One way of ensuring data protection policies remain in place even when employees work remotely is to apply them on the endpoint, meaning that data protection software is installed directly on the devices rather than at network level. In this way, policies will stay active no matter where the devices are located. This is ideal, especially for companies that have had no time to configure a Virtual Private Network (VPN) and whose employees will have to use their own private WiFi networks to connect to the internet.
Encryption is also an essential part of secure remote work, ensuring that, if devices are stolen or forgotten while outside the office, anyone getting hold of them cannot access any data on them. Many computers come with native encryption tools, and companies are strongly encouraged to request that their employees use them.
Home office compliance
Given the state of emergency, compliance has taken a back seat to considerations surrounding employees’ wellbeing and the need to continue business operations remotely. This instinct to overlook data protection as negligible in case of extreme circumstances goes against one of the fundamental principles of the new wave of data protection legislation spearheaded by the EU’s General Data Protection Regulation (GDPR): data protection by design and by default. It means that data protection is no longer an afterthought that companies can choose to incorporate in their strategies depending on a given situation, but needs to be one of the foundations of business operations.
Working remotely, especially for organisations with no solid remote work plans in place, will mean that data will become more vulnerable. Malicious outsiders are likely to take advantage of the chaos, leading to an increase in external attacks. Employees, freed from the restrictive policies of company networks, may also slacken their security practices and endanger the data they take home with them.
Tools like Data Loss Prevention (DLP) solutions applied at the endpoint level can support remote compliance through their focus on special categories of data protected by data-protection legislation as opposed to the overall devices the data is stored on. By applying policies directly to sensitive data, DLP tools help companies monitor and control the transfer and use of personal information remotely, ensuring that it is not sent outside the company or uploaded to unauthorised third-party services.
The author is Channel Manager at CoSoSys, developer of endpoint-centric Data Loss Prevention (DLP) solutions and security software.